Failure Detection and Identification in Linear Time-Invariant Systems

ALAN S. WILLSKY

MASSACHUSETTS  INSTITUTE  OF  TECHNOLOGY 


Abstract 


A solution to the problem of detecting and identifying control system component failures in linear time-invariant systems is given using the geometric concept of an unobservability subspace. Conditions are developed under which it is possible to design a causal linear processor that can be used to detect and uniquely identify a component failure in a linear time-invariant system, assuming either i) the components can fail simultaneously, or ii) the components can fail only one at a time. Explicit design algorithms are provided when those conditions are satisfied. In addition to the time domain solvability conditions, the frequency domain interpretation of the results is given, and connections are drawn with the results already available in the literature.
1. Introduction

In  many  applications  high  reliability  control  systems  are  necessary.  In  some  space 
missions,  for  example,  a  system  with  hundreds  of  components  is  required  to  operate  for 
a  period  of  several  years.  Such  systems  must  naturally  employ  highly  sophisticated 
fault  tolerant  control  systems  (FTCS)  with  redundant  capacity  to  perform  a  given  task. 
The  need  for  very  high  reliability  has  led  to  extensive  research  into  design  of  systems 
that  can  do  their  job  using  more  than  one  configuration  of  their  components. 

Currently there are two different approaches to the design of reliable systems. In the first approach, the objective is to reduce the dependence of the system on the operation of individual components and develop systems that remain operational even in the presence of a failure, without any corrective action being undertaken. A few examples of this passive approach to FTCS are quadruplexed fly-by-wire digital flight control systems and the mid-value select algorithm.

Instead of triplicating or quadruplicating the expensive hardware components, or sacrificing the performance of the system under nominal operating conditions in order to gain fault tolerant capability, one can first detect and identify the failed component using additional information processing and then reconfigure the system to accommodate the failure. Clearly, this active approach requires more complex information processing capabilities, but with the increasing availability of low cost digital computers it will be the preferred approach, especially if it can result in superior performance.

The  integral  part  of  an  FTCS  is  failure  detection  and  identification  (FDI).  An  FDI 
process  essentially  consists  of  two  stages.  The  first  stage  is  residual  generation,  and  the 
second  stage  involves  using  the  residuals  to  make  the  appropriate  decisions.  In  this 
work  we  shall  only  concentrate  on  residual  generation,  and  refer  the  reader  to  the 
extensive  literature  available  for  the  decision  making  phase  of  FDI  (see  [23],  [10],  and 
[20]  for  comprehensive  surveys). 


The output of a residual generator is by definition a function of time that is nominally zero or close to zero when no failure is present, but is distinguishably different from zero when a component of the system fails. For example, a simple residual can be generated by differencing the outputs of two identical sensors that measure the same quantity. A failure of either sensor corrupts the residual, and this can be used to detect a failure. The process of generating residuals from relationships among instantaneous outputs of sensors is usually called direct redundancy. Two examples where direct redundancy was exploited are [7, 8].

It  is  also  possible  to  generate  the  residuals  using  temporal  redundancy,  which  is  the 
process  of  exploiting  the  relationships  among  the  histories  of  sensor  outputs  and 
actuator  inputs.  This  is  usually  done  by  using  a  hypothesized  model  of  the  dynamics  of 
the  system  to  relate  sensor  outputs  and  actuator  inputs  at  different  instants  of  time. 
We  refer  the  reader  to  [6]  for  an  example  of  the  use  of  temporal  redundancy  in  residual 
generation. 

Among all methods that employ temporal redundancy, two are distinguished as being applicable both to sensor and actuator FDI and, in addition, not requiring any assumption about how the failed component behaves. These are the methods of generalized parity relations, first studied by Chow [4, 5] and later extended by Lou [12, 13], and the failure detection filter introduced by Beard [2], which was later amplified by Jones [11] and recently revisited by Massoumnia [14].

Each of these two methods involves the design of a linear processor of a particular type of structure. In failure detection and identification filters, the linear processor is a full order observer, with the residuals taken to be the innovations of the observer. The design procedure consists of choosing the observer gain so that failures of different system components affect the residuals in linearly independent directions (hence greatly simplifying the subsequent decision-making process). The restriction to the class of full-state observers is, as we shall see, a rather severe constraint, as it not only restricts significantly the class of problems that have solutions (the set of possible failure modes must satisfy a strong mutual detectability condition, cf. [14]), but it also makes the design process and the nature of the FDI problem appear more complicated than they should.

In the case of generalized parity checks, the concept behind the design process is exceedingly simple: we seek residuals generated by forming linear combinations of a finite window of sensor output and applied input values so that all of the residuals are zero when the components are functioning perfectly, but a particular subset of the residuals deviates from zero when a particular system component fails. Again, the class of linear processors considered in this design procedure is severely restricted and does not, for example, allow one much freedom in adjusting any free parameters to optimize noise rejection.

In this paper we remove the constraints imposed in these previous studies. In particular, the only constraints we place on our residual generation mechanism are: (a) it produces residuals with the same desirable properties as in previous studies, namely that particular residuals are sensitive only to particular component failure modes; and (b) the mechanism must be a finite-dimensional, linear, time-invariant causal system, i.e., we do not restrict ourselves to the far smaller classes of processors considered in previous work. As we shall see, within this setting it is possible to construct such processors to uniquely identify failures under less restrictive conditions than those previously reported.

For  solving  the  problem  of  residual  generation,  we  shall  rely  heavily  on  a  few 
geometric  concepts.  Most  of  these  concepts  are  dual  to  the  ones  already  developed  in 
the  control  literature.  In  fact,  by  extending  the  results  of  [14],  we  more  fully  exploit  the 
dual  relationship  and  the  subtle  differences  between  the  residual  generation  problem  and 
the  control  decoupling  problem  [9,  24]. 


We begin in Section 2 by formulating the problem of residual generation, and show how both sensor and actuator failures and also changes in the system parameters can be modeled in a unified manner as actuator failures. In Section 3, the fundamental problem of residual generation is defined. In this problem it is assumed that there are only two possible faulty components, and it is desired to generate a residual that is affected by the failure of the first component but not by the failure of the second component. By comparing this residual with a threshold one can decide whether the first component is operating properly or not. In Section 4, the fundamental problem of residual generation is extended to the case of multiple simultaneous failures. The solvability condition of this problem leads to the introduction of the fundamental system theoretic concept of a strongly identifiable family of failure events. In Section 6, the most general form of the FDI problem (within the framework stated in Section 2) is solved. The solution of this problem leads to the introduction of the concept of an identifiable family of failure events.

Before proceeding with a complete formulation of the failure detection and identification problem, we review our notation. Throughout the paper real vector spaces are denoted by script letters $\mathcal{X}, \mathcal{Y}, \mathcal{Z}$, and their typical elements by $x, y, z$. The symbol $d(\mathcal{X})$ denotes the dimension of $\mathcal{X}$. Matrices and linear maps are all represented by capital italic letters, e.g., $A, B, C$. For an arbitrary map $L$, the symbol $\operatorname{Im} L$ denotes the image of $L$; from time to time the subspace $\operatorname{Im} L$ is denoted by $\mathcal{L}$. Also $\operatorname{Ker} L$ denotes the null space of $L$. The maps $A : \mathcal{X} \to \mathcal{X}$, $B : \mathcal{U} \to \mathcal{X}$, and $C : \mathcal{X} \to \mathcal{Y}$ ($d(\mathcal{X}) = n$, $d(\mathcal{U}) = m$, $d(\mathcal{Y}) = l$) are fixed throughout and are associated with the "system $(C, A, B)$", namely

$$\dot{x}(t) = A x(t) + B u(t), \qquad y(t) = C x(t).$$

The spectrum of $A$ is denoted by $\sigma(A)$ and $\uplus$ denotes union with any common elements repeated. We say a set $\Lambda$ is symmetric if $\lambda \in \Lambda$ implies $\lambda^* \in \Lambda$, where $*$ denotes the complex conjugate. With $k$ a positive integer, $\mathbf{k}$ will denote the finite set $\{1, 2, \ldots, k\}$, and $\mathbf{k-1} = \{1, \ldots, k-1\}$. Moreover, the Laplace transform of an arbitrary function $m(t)$ is denoted by $m(s)$.


2.  Failure  Representation  and  Problem  Formulation 

Assume our nominal linear time-invariant (LTI) system is described by the state-space model

$$\dot{x}(t) = A x(t) + B u(t), \qquad y(t) = C x(t). \tag{1}$$

Here $x(t) \in \mathcal{X}$, $u(t) \in \mathcal{U}$, and $y(t) \in \mathcal{Y}$, with the dimensions of $\mathcal{X}$, $\mathcal{U}$, and $\mathcal{Y}$ being $n$, $m$, and $l$ respectively. The nominal input $u(t)$ to the plant and the measurement $y(t)$ are assumed to be known and will be referred to as the observables of the system.

Now assume that some unknown disturbances affect the behavior of the plant. These disturbances can be sensor failures and disturbances at the output, which directly corrupt the measurement $y(t)$, or they can be actuator failures and external input disturbances, which will show up in $y(t)$ after their effects are integrated through the dynamics of the system. The most general form of disturbances that can affect the output of the system shown in (1) can be represented as follows:

$$\dot{x}(t) = A x(t) + B u(t) + \sum_i L_i m_i(t), \qquad y(t) = C x(t) + \sum_i J_i n_i(t). \tag{2}$$

Here $m_i(t) \in \mathcal{M}_i$ ($d(\mathcal{M}_i) = k_i$) and $n_i(t) \in \mathcal{N}_i$ ($d(\mathcal{N}_i) = q_i$) are unknown functions of time and can be arbitrary. However, when no failure or disturbance is present, $m_i(t)$ and $n_i(t)$ are all, by definition, equal to zero. We refer to the functions $m_i(t)$ and $n_i(t)$ as failure modes.

In order to model the effect of failures in the $j$-th actuator, simply set $L_i = B_j$, where $B_j$ is the $j$-th column of the control effectiveness matrix $B$. For example, if the actuator does not respond to the applied input, then $m_i(t) = -u_j(t)$, where $u_j(t)$ is the $j$-th element of the input vector $u(t)$. If the actuator has a bias $b$, then $m_i(t) = b$. If the actuator becomes stuck at a value $h$, then $m_i(t) = h - u_j(t)$. Because we do not constrain $m_i(t)$ to any special function class, a wide variety of actuator failure modes fits this representation. From now on we shall refer to the maps $L_i : \mathcal{M}_i \to \mathcal{X}$ as actuator failure signatures. Note that the failure signatures $L_i$ can be matrices, and are not constrained to just being vectors.


We can also model a change in the dynamics of the plant, i.e., a change in the $A$ matrix, by choosing $L_i$ appropriately; in this case $m_i(t)$ will be a linear combination of the states of the system $x(t)$. Thus, as far as failure modeling is concerned, a change in the dynamics of the system can be modeled in the same manner as an actuator failure. The term actuator failure will therefore be used to refer to any failure event that can be modeled by choosing $L_i$ appropriately.

Similarly, to model the failure of the $j$-th sensor, simply set $J_j = e_j$, where $e_j$ is the $j$-th column of the $l \times l$ identity matrix. If for instance the sensor fails completely, i.e., gives a zero output, then $n_j(t) = -c_j x(t)$, where $c_j$ is the $j$-th row of the measurement matrix $C$. As should be clear by now, this representation can be used to model a wide variety of sensor failure modes. Moreover, as in the case of actuator failures, the $J_i$ can be matrices, and are not constrained to be vectors. From now on we shall refer to the maps $J_i : \mathcal{N}_i \to \mathcal{Y}$ as sensor failure signatures.

One major distinction between our approach to failure modeling and the majority of approaches reported in the literature is that we do not assume any a priori mode of component failure, i.e., $m_i(t)$ and $n_i(t)$ in (2) can be arbitrary. However, here it is assumed that the failure can be represented by choosing an appropriate $L_i$ or $J_i$. Note that the same assumption was the basis for the work of Beard and Jones [2, 11].

Since the $m_i(t)$ and $n_i(t)$ are arbitrary, there is no loss of generality in assuming (as we shall from now on) that the failure signatures are one-to-one. We shall at times make the assumption that the failure modes are generic in a sense that will be specified when the occasion arises.


We shall also find it more convenient to represent sensor failures by pseudo-actuator failures, as described next. In particular, note that, without loss of generality, it can be assumed that the unknown function $n_i(t)$ is the output of some linear time-invariant system $\Sigma_i$ with impulse response $h_i(t, \tau)$ and some arbitrary input $s_i(t)$. The only restriction on $\Sigma_i$ is that it should be right invertible, so that for any $n_i(t)$ there exists an $s_i(t)$ such that

$$n_i(t) = \int_0^t h_i(t, \tau)\, s_i(\tau)\, d\tau, \qquad t \ge 0.$$

For the case where the $n_i(t)$ are simply scalars, we can assume without loss of generality that

$$\dot{n}_i(t) = a_i n_i(t) + s_i(t)$$

for some scalars $a_i$ and unknown functions $s_i(t)$. If the dynamics of the systems generating the sensor failure modes are added to the dynamics of the system, the sensor failures can be represented as actuator failures. In this augmented representation, $s_i(t)$ appears as a pseudo-actuator failure mode and consequently no sensor failure signature will be present. Hence, all the analysis that follows uses the model

$$\dot{x}(t) = A x(t) + B u(t) + \sum_{i=1}^{k} L_i m_i(t), \qquad y(t) = C x(t). \tag{3}$$

It is assumed that the maps $A$, $B$, $L_i$, and $C$ have already been appropriately modified so that the sensor failures are properly represented as pseudo-actuator failures. One caveat is that the augmented model (3) may not be observable even if the system in (2) was observable. However, by properly choosing the augmented dynamics so that they do not coincide with the spectrum of $A$ in (2), it is always possible to get an observable augmented model if the unaugmented system was observable.

Considering now the system in (3), we define the failure detection and identification filter problem (FDIFP) as the problem of designing a dynamic residual generator that takes the observables $u(t)$ and $y(t)$ as inputs and generates a set of residual vectors $r_i(t)$ ($i \in \mathbf{p}$) with the following properties:

1. When no failure is present, the residuals $r_i(t)$ ($i \in \mathbf{p}$) are identically equal to zero. Hence, the net transmission from the input of the system $u(t)$ to the residuals $r_i(t)$ ($i \in \mathbf{p}$) should be zero.

2. When the $j$-th component fails (i.e., $m_j(t) \neq 0$), the residuals $r_i(t)$ for $i \in \Omega_j$ should be nonzero, and the other residuals $r_s(t)$, $s \in \mathbf{p} - \Omega_j$, should all be identically equal to zero. Here the family of coding sets $\Omega_j \subset \mathbf{p}$ ($j \in \mathbf{k}$) is to be chosen such that we can uniquely identify the failed component or components by knowing which of the $r_i(t)$ are zero or not.

We say more about the coding sets $\Omega_j$ later in this section and also in Section 6. A block diagram of an FDIF is given in Figure 2-1.


[Figure 2-1 (block diagram): sensor and actuator failures $m(t)$ and actuator commands $u(t)$ enter the plant, which produces the measurements $y(t)$; the residual generator takes $u(t)$ and $y(t)$ as inputs and outputs the residuals $r_1(t), \ldots, r_p(t)$.]

Figure 2-1: Block Diagram of an FDIF

Note  that  in  the  general  problem  there  is  no  constraint  on  the  number  p  of  the 
residuals. 


If we can generate a set of residuals with the above properties, then the identification task is trivial. One needs only to compare the magnitudes of the residuals against some appropriate thresholds to decide which ones correspond to responses to actual failures, and then by referring to the table of the coding sets one can identify the failure, if a failure is present.

One important design consideration is how to choose the coding sets $\Omega_j$. The simplest choice is just to take $p = k$ and $\Omega_j = \{j\}$ ($j \in \mathbf{k}$), i.e., to let precisely one of the residuals be nonzero for any one failure. In addition, this coding scheme enables us to detect and correctly identify simultaneous failures. In Sections 5 and 6, we shall go over more complicated coding schemes. It should be noted that with some coding schemes it is not possible to detect and identify the presence of simultaneous failures. As a matter of fact, for some coding sets, simultaneous failures can lead to identification of the wrong component as failed. However, no matter what coding sets are used, there are families of components for which a failure of a component within the family cannot be uniquely identified. This fundamental limitation will be discussed in Section 6.

Now, consider the most general form of a realizable LTI processor that takes $y(t)$ and $u(t)$ as inputs and generates a set of residuals $r_i(t)$ ($i \in \mathbf{p}$) as outputs,

$$\dot{w}(t) = F w(t) - E y(t) + G u(t),$$
$$r_i(t) = M_i w(t) - H_i y(t) + K_i u(t), \qquad i \in \mathbf{p},$$
$$r(t) = [r_1'(t), \ldots, r_p'(t)]'. \tag{4}$$

Here $r_i(t) \in \mathcal{R}_i$ and $r(t) \in \mathcal{R}_1 \oplus \cdots \oplus \mathcal{R}_p$. Also, the minus signs in $E$ and $H_i$ are just chosen for convenience in what follows.

We can now restate FDIFP as the problem of finding $F$, $E$, $G$, $M_i$, $K_i$, and $H_i$ in (4) such that the transfer matrices relating the $m_j(t)$ and $r_i(t)$ have the properties mentioned previously that enable us to determine from the residuals $r_i(t)$ which of the $m_j(t)$ are nonzero.

Before  proceeding  with  the  solution  of  FDIFP,  we  review  a  few  geometric  concepts 
that  will  be  useful  in  solving  the  problem. 
A subspace $\mathcal{S} \subset \mathcal{X}$ is termed $A$-invariant if $A\mathcal{S} \subset \mathcal{S}$. Let $\mathcal{S} \subset \mathcal{X}$ be $A$-invariant; we write $A : \mathcal{S}$ for the restriction of $A$ to $\mathcal{S}$, and $A : \mathcal{X}/\mathcal{S}$ for the map induced by $A$ on the factor space $\mathcal{X}/\mathcal{S}$. Moreover, if $\mathcal{S}$ and $\mathcal{T}$ are both $A$-invariant subspaces and $\mathcal{S} \subset \mathcal{T}$, we write $A : \mathcal{T}/\mathcal{S}$ for the operator induced by the restriction of $A$ to $\mathcal{T}$ on the factor space $\mathcal{T}/\mathcal{S}$.

We write $\mathcal{B} = \operatorname{Im} B$ and $\langle A \mid \mathcal{B} \rangle = \mathcal{B} + A\mathcal{B} + \cdots + A^{n-1}\mathcal{B}$ for the infimal $A$-invariant subspace containing $\mathcal{B}$, i.e., the reachable subspace of $(A, B)$. We write $\mathcal{K} = \operatorname{Ker} C$ and $\langle \mathcal{K} \mid A \rangle = \mathcal{K} \cap A^{-1}\mathcal{K} \cap \cdots \cap A^{-n+1}\mathcal{K}$ for the supremal $A$-invariant subspace contained in $\mathcal{K}$, i.e., the unobservable subspace of $(C, A)$.

We say a subspace $\mathcal{W} \subset \mathcal{X}$ is $(C, A)$-invariant if there exists a map $D : \mathcal{Y} \to \mathcal{X}$ such that $(A + DC)\mathcal{W} \subset \mathcal{W}$ [1, 22, 24]. Let $\mathcal{W}$ be $(C, A)$-invariant; we denote by $\mathbf{D}(\mathcal{W})$ the class of all maps $D$ such that $(A + DC)\mathcal{W} \subset \mathcal{W}$. Let $\mathcal{L} \subset \mathcal{X}$; we denote the family of $(C, A)$-invariant subspaces containing $\mathcal{L}$ by $\mathbf{W}(\mathcal{L})$. The family $\mathbf{W}(\mathcal{L})$ is closed under intersection; hence, $\mathbf{W}(\mathcal{L})$ contains an infimal element $\mathcal{W}^* := \inf \mathbf{W}(\mathcal{L})$ [22]. Also $\mathcal{W}^* = \lim \mathcal{W}_k$, where $\mathcal{W}_k$ is given by the following recursive algorithm [24]:

$$\mathcal{W}_{k+1} = \mathcal{L} + A(\mathcal{W}_k \cap \operatorname{Ker} C), \qquad \mathcal{W}_0 = 0. \tag{5}$$

We say a subspace $\mathcal{S} \subset \mathcal{X}$ is a $(C, A)$ unobservability subspace (u.o.s.) (complementary observability subspace according to [22]) if $\mathcal{S} = \langle \operatorname{Ker} HC \mid A + DC \rangle$ for some output injection map $D : \mathcal{Y} \to \mathcal{X}$ and measurement mixing map $H$ defined on $\mathcal{Y}$ [15, 22]. Note that $\mathcal{S}$ is the unobservable subspace of the pair $(HC, A + DC)$, and the spectrum of $A + DC : \mathcal{X}/\mathcal{S}$ can be assigned to an arbitrary symmetric set by appropriate choice of $D$ [15]. We use the notation $\mathbf{S}(\mathcal{L})$ for the class of u.o.s.'s containing $\mathcal{L}$. The class $\mathbf{S}(\mathcal{L})$ is closed under intersection; it therefore contains an infimal element $\mathcal{S}^* := \inf \mathbf{S}(\mathcal{L})$ [22, 24]. Also $\mathcal{S}^* = \lim \mathcal{S}_k$, where $\mathcal{S}_k$ is given by the following recursive algorithm [24]:

$$\mathcal{S}_{k+1} = \mathcal{W}^* + (A^{-1}\mathcal{S}_k) \cap \operatorname{Ker} C, \qquad \mathcal{S}_0 = \mathcal{X}. \tag{6}$$
Moreover, for any $D \in \mathbf{D}(\mathcal{S}^*)$,

$$\mathcal{S}^* = \langle \operatorname{Ker} C + \mathcal{S}^* \mid A + DC \rangle. \tag{7}$$

Let $\{\mathcal{W}_i, i \in \mathbf{k}\}$ be a family of $(C, A)$-invariant subspaces of $\mathcal{X}$. We say $\{\mathcal{W}_i, i \in \mathbf{k}\}$ is compatible (cf. [14]) if

$$\bigcap_{i \in \mathbf{k}} \mathbf{D}(\mathcal{W}_i) \neq \emptyset,$$

i.e., if there exists a $D$ such that every $\mathcal{W}_i$ is $(A + DC)$-invariant.
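The recursions (5) and (6) can be run mechanically on a small system. The following Python script is an added example and not code from the paper: it represents subspaces by exact rational bases (Python fractions, so the rank decisions inside the recursions are not at the mercy of floating-point round-off), implements the subspace operations the recursions need (sum, intersection, $A^{-1}\mathcal{S}$, $\operatorname{Ker} C$), computes $\mathcal{W}^* = \inf \mathbf{W}(\mathcal{L})$ and $\mathcal{S}^* = \inf \mathbf{S}(\mathcal{L})$, and then evaluates the test $\mathcal{S}^* \cap \mathcal{L}_1 = 0$ that Theorem 2 in Section 3 uses to decide the two-failure problem. The plant `A_CHAIN`, `C_TWO` and the signature columns `E1`, `E2`, `E3` are constructed for this example, not taken from the paper.

```python
from fractions import Fraction as Fr

# Added example (not from the paper).  A vector is a list of Fractions, a
# subspace is a list of basis vectors, a matrix is a list of rows.

def rref(rows):
    """Reduced row echelon form: returns (nonzero rows, pivot columns)."""
    m = [[Fr(v) for v in r] for r in rows]
    piv, r = [], 0
    for c in range(len(m[0]) if m else 0):
        p = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if p is None:
            continue
        m[r], m[p] = m[p], m[r]
        m[r] = [v / m[r][c] for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c] != 0:
                f = m[i][c]
                m[i] = [a - f * b for a, b in zip(m[i], m[r])]
        piv.append(c)
        r += 1
        if r == len(m):
            break
    return m[:r], piv

def span(vectors):
    """Basis of the span of the given vectors; [] is the zero subspace."""
    return rref(vectors)[0] if vectors else []

def nullspace(rows, n):
    """Basis of {x : M x = 0} for M given by its rows; no rows means all of R^n."""
    if not rows:
        return [[Fr(int(i == j)) for j in range(n)] for i in range(n)]
    red, piv = rref(rows)
    basis = []
    for f in (c for c in range(n) if c not in piv):
        v = [Fr(0)] * n
        v[f] = Fr(1)
        for row, p in zip(red, piv):
            v[p] = -row[f]
        basis.append(v)
    return basis

def intersect(S, T, n):
    """S ∩ T = (S^⊥ + T^⊥)^⊥, where nullspace(S, n) is a basis of S^⊥."""
    return nullspace(nullspace(S, n) + nullspace(T, n), n)

def image(A, S):
    """A S = span{A v : v in S}."""
    return span([[sum(A[i][j] * v[j] for j in range(len(v))) for i in range(len(A))]
                 for v in S])

def preimage(A, S, n):
    """A^{-1} S = {x : A x in S} = Ker(N A), the rows of N spanning S^⊥."""
    NA = [[sum(w[i] * A[i][j] for i in range(n)) for j in range(n)]
          for w in nullspace(S, n)]
    return nullspace(NA, n)

def w_star(A, C, L, n):
    """Eq. (5): W_{k+1} = L + A (W_k ∩ Ker C), W_0 = 0.  The chain is
    nondecreasing, so the first repeated dimension gives W* = inf W(L)."""
    kerC, Lsub, W = nullspace(C, n), span(L), []
    while True:
        W_next = span(Lsub + image(A, intersect(W, kerC, n)))
        if len(W_next) == len(W):
            return W
        W = W_next

def s_star(A, C, L, n):
    """Eq. (6): S_{k+1} = W* + (A^{-1} S_k) ∩ Ker C, S_0 = X.  The chain is
    nonincreasing, so the first repeated dimension gives S* = inf S(L)."""
    kerC, W, S = nullspace(C, n), w_star(A, C, L, n), nullspace([], n)
    while True:
        S_next = span(W + intersect(preimage(A, S, n), kerC, n))
        if len(S_next) == len(S):
            return S
        S = S_next

def fprg_solvable(A, C, L1, L2, n):
    """Theorem 2 (Section 3): FPRG is solvable iff S* ∩ Im L1 = 0 with
    S* = inf S(L2).  Returns (solvable, n - d(S*)); the second entry is the
    order of the reduced residual generator built in the proof."""
    S = s_star(A, C, L2, n)
    return len(intersect(S, span(L1), n)) == 0, n - len(S)

# Constructed plant: triple integrator x1' = x2, x2' = x3, x3' = 0 with x1 and
# x2 measured.  Failure signatures are passed as lists of column vectors.
A_CHAIN = [[0, 1, 0], [0, 0, 1], [0, 0, 0]]
C_TWO = [[1, 0, 0], [0, 1, 0]]
E1, E2, E3 = [1, 0, 0], [0, 1, 0], [0, 0, 1]

if __name__ == "__main__":
    # inf S(span{e3}) = span{e2, e3}: a failure along e1 can be isolated from
    # one along e3 with a first-order generator, a failure along e2 cannot.
    print("d(W*) =", len(w_star(A_CHAIN, C_TWO, [E3], 3)))
    print("d(S*) =", len(s_star(A_CHAIN, C_TWO, [E3], 3)))
    print("L1 = e1:", fprg_solvable(A_CHAIN, C_TWO, [E1], [E3], 3))
    print("L1 = e2:", fprg_solvable(A_CHAIN, C_TWO, [E2], [E3], 3))
```

With only $x_1$ measured (`C = [[1, 0, 0]]`) the same plant gives $\mathcal{S}^* = \mathcal{X}$, so no signature direction can be isolated from $e_3$ at all; this is the kind of check that decides, before any gain is computed, whether the sensor set is rich enough for the FDI task.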

Using the above geometric concepts, we first solve a restricted version of the FDIFP in Section 3. The solution to this problem will then be used to tackle more general problems in the sections that follow.

3.  The  Fundamental  Problem  in  Residual  Generation 

In  this  section,  we  assume  that  only  two  failure  events  are  present,  and  examine  when 
one  can  design  a  residual  generator  that  is  sensitive  to  the  failure  of  the  first  actuator 
but  is  insensitive  to  the  failure  of  the  second  actuator.  This  restricted  version  of  FDIFP 
will  be  called  the  fundamental  problem  in  residual  generation  (FPRG).  Later  on,  FPRG 
will  be  extended  to  more  general  cases. 

Consider the model given in (3) with $k = 2$,

$$\dot{x}(t) = A x(t) + B u(t) + L_1 m_1(t) + L_2 m_2(t), \qquad y(t) = C x(t). \tag{8}$$

The dimensions of the maps shown in (8) are the same as the ones given in (1) and (2). It is desired that a nonzero $m_1(t)$ should show up in the output $r(t)$ of the residual generator, while a nonzero $m_2(t)$ should not affect $r(t)$. As usual, our observables are the measurement $y(t) \in \mathcal{Y}$ and the known actuation signal $u(t) \in \mathcal{U}$.
Now consider a residual generator of the form

$$\dot{w}(t) = F w(t) - E y(t) + G u(t),$$
$$r(t) = M w(t) - H y(t) + K u(t). \tag{9}$$

Note that this is the most general form of a realizable LTI processor that takes the observables $y(t)$ and $u(t)$ as inputs and generates a residual $r(t)$.

First combine (8) and (9) as follows:

$$\begin{bmatrix} \dot{x}(t) \\ \dot{w}(t) \end{bmatrix} = \begin{bmatrix} A & 0 \\ -EC & F \end{bmatrix} \begin{bmatrix} x(t) \\ w(t) \end{bmatrix} + \begin{bmatrix} B & L_2 \\ G & 0 \end{bmatrix} \begin{bmatrix} u(t) \\ m_2(t) \end{bmatrix} + \begin{bmatrix} L_1 \\ 0 \end{bmatrix} m_1(t),$$
$$r(t) = \begin{bmatrix} -HC & M \end{bmatrix} \begin{bmatrix} x(t) \\ w(t) \end{bmatrix} + \begin{bmatrix} K & 0 \end{bmatrix} \begin{bmatrix} u(t) \\ m_2(t) \end{bmatrix}. \tag{10}$$

Define the extended spaces $\mathcal{X}_e := \mathcal{X} \oplus \mathcal{W}$ and $\mathcal{U}_e := \mathcal{U} \oplus \mathcal{M}_2$. Let $x_e := (x, w) \in \mathcal{X}_e$ and $u_e := (u, m_2) \in \mathcal{U}_e$. Equation (10) can then be rewritten as follows:

$$\dot{x}_e(t) = A_e x_e(t) + B_e u_e(t) + L_e m_1(t),$$
$$r(t) = H_e x_e(t) + K_e u_e(t), \tag{11}$$

where the definitions of the matrices $A_e$, $L_e$, $B_e$, $H_e$, and $K_e$ are evident from (10).


Now we formalize the statement that the failure of the first component should show up in the residual $r(t)$, i.e., that a nonzero $m_1(t)$ should show up in $r(t)$. There are several possible, mathematically inequivalent formulations of the above statement. The most natural formulation is to require the transfer matrix from $m_1(s)$ to $r(s)$ to be left invertible, so that any nonzero $m_1(t)$ results in a nonzero $r(t)$.

However, another approach is to only require the system relating $m_1(t)$ to $r(t)$ to be input observable. Recall that a system $(C, A, B)$ is input observable if $B$ is monic and the image of $B$ does not intersect the unobservable subspace of $(C, A)$. In terms of transfer matrices, this is equivalent to the requirement that the columns of $C(sI - A)^{-1}B$ be linearly independent over the field of real numbers. We note that even if the system relating $m_1(t)$ to $r(t)$ is not left invertible but is only input observable, it will be extremely unlikely that an arbitrary nonzero $m_1(t)$ will hide itself for all $t$ in the null space of the mapping from $m_1(t)$ to $r(t)$ so that the failure cannot be detected. Hence, if we only require input observability, then almost any nonzero $m_1(t)$ will produce a nonzero residual $r(t)$. Therefore, it may be argued that the ideal requirement of left invertibility is somewhat of an overkill for failure detection and identification purposes.

It may be further argued that we can even relax the condition of input observability and require only that the transfer matrix from $m_1(s)$ to $r(s)$ be nonzero. However, it will then generally not be possible to reconstruct $m_1(t)$ from $r(t)$. By contrast, input observability implies that if the failure mode $m_1(t)$ has some rather mild properties, then it is possible to reconstruct $m_1(t)$ from $r(t)$. Note that during failure accommodation, the one-to-one relation between $m_1(t)$ and $r(t)$ can be very valuable, since we can theoretically determine $m_1(t)$ from $r(t)$ and hence compensate for its adverse effects.

Finally, if we are dealing with a single-input multi-output system, i.e., if the transfer matrix is simply a column vector, then input observability automatically implies left invertibility. In the context of the FDI problem, the transfer matrix $T(s)$ relating $m_1(s)$ to $r(s)$ is usually a column vector (or a scalar), since the failure signature $L_1$ is usually a column vector. Therefore, in the FDI problem the input observability of $T(s)$ is typically equivalent to its left invertibility.

Based on these arguments, we state FPRG as follows. Consider the system given in (10) and (11). FPRG is the problem of finding $F$, $E$, $G$, $M$, $H$, and $K$ such that:

$$u_e = (u, m_2) \mapsto r = 0, \tag{12}$$
$$m_1 \mapsto r \ \text{input observable}. \tag{13}$$

Furthermore, when the condition in (12) is satisfied and the first actuator is functioning properly, all signals $r(t)$ obtainable by varying the initial conditions $x(0)$ and $w(0)$ are exactly those outputs obtainable by varying the initial condition $e(0)$ of $\dot{e} = F_0 e$, $r = M_0 e$, for some observable pair $(M_0, F_0)$. The spectrum of $F_0$ determines the dynamics of the residual generator. In addition to the conditions in (12) and (13), we shall require that the dynamics of the residual generator be stable.

We need a few preliminary results for deriving the solvability condition for FPRG. First, let $\mathcal{X}_e$ be as defined previously in this section. With $x \in \mathcal{X}$, define the embedding map $Q : \mathcal{X} \to \mathcal{X}_e$ as follows:

$$Q x = \begin{bmatrix} x \\ 0 \end{bmatrix}. \tag{14}$$

Note that if $\mathcal{V} \subset \mathcal{X}_e$, then

$$Q^{-1}\mathcal{V} = \{ x : x \in \mathcal{X} \ \&\ Qx \in \mathcal{V} \}.$$

Less precisely, $Q^{-1}\mathcal{V}$ is the intersection of the subspaces $\mathcal{V}$ and $\mathcal{X}$.


Using the above definitions, it is relatively simple to relate the unobservability subspaces of the systems in (11) and (8). The following fundamental result, which exactly accomplishes this task, is crucial to the solvability condition of FPRG.

Proposition 1: Let $\mathcal{S}_e$ be the unobservable subspace of $(H_e, A_e)$; then $Q^{-1}\mathcal{S}_e$ is a $(C, A)$ unobservability subspace [21, 19, 18].

With  this  result  at  our  disposal,  the  solvability  condition  is  immediate. 

Theorem 2: FPRG has a solution if and only if

$$\mathcal{S}^* \cap \mathcal{L}_1 = 0, \tag{16}$$

where $\mathcal{S}^* = \inf \mathbf{S}(\mathcal{L}_2)$. Also, if (16) holds, then the dynamics of the residual generator can be assigned arbitrarily.

Proof: (only if) Consider the systems given in (11) and (10). For (12) to hold, we should have $K_e = 0$ and

$$\langle A_e \mid \mathcal{B}_e \rangle \subset \mathcal{S}_e := \langle \operatorname{Ker} H_e \mid A_e \rangle. \tag{17}$$

Equation (17) implies $\mathcal{B}_e \subset \mathcal{S}_e$; hence, $Q^{-1}\mathcal{B}_e \subset \mathcal{S} := Q^{-1}\mathcal{S}_e$. Using Proposition 1, $\mathcal{S}$ is a $(C, A)$ u.o.s. Also $Q^{-1}\mathcal{B}_e \supset \mathcal{L}_2$. Therefore,

$$\mathcal{S} \in \mathbf{S}(\mathcal{L}_2). \tag{18}$$

For (13) to hold, we should have $L_e$ monic and $\mathcal{L}_e \cap \mathcal{S}_e = 0$; thus we should have $L_1$ monic (which we have assumed) and

$$Q^{-1}(\mathcal{L}_e \cap \mathcal{S}_e) = Q^{-1}\mathcal{L}_e \cap Q^{-1}\mathcal{S}_e = \mathcal{L}_1 \cap \mathcal{S} = 0. \tag{19}$$

Obviously (18) and (19) hold only if (16) is true.

(if) Let $D_0 \in \mathbf{D}(\mathcal{S}^*)$, $P : \mathcal{X} \to \mathcal{X}/\mathcal{S}^*$ be the canonical projection, and $A_0 := (A + D_0 C : \mathcal{X}/\mathcal{S}^*)$. Let $H$ be a solution of $\operatorname{Ker} HC = \mathcal{S}^* + \operatorname{Ker} C$ and $M$ be the unique solution of $MP = HC$. By construction, the pair $(M, A_0)$ is observable; hence there exists a $D_1$ such that $\sigma(F) = \Lambda$, where $F := A_0 + D_1 M$ and $\Lambda$ is an arbitrary symmetric set. Let $D = D_0 + P^{-r} D_1 H$ (with $P^{-r}$ a right inverse of $P$), $E = PD$, $G = PB$, and $K = 0$. Define $e(t) = w(t) - Px(t)$. Then it simply follows that

$$\dot{e} = F e - P L_1 m_1,$$
$$r = M w - H y = M e.$$

Thus $r(s) = -T(s)\, m_1(s)$ with $T(s) = M(sI - F)^{-1} P L_1$. Obviously, the requirement in (12) is satisfied. Furthermore, $\mathcal{S}^* \cap \mathcal{L}_1 = 0$ and $L_1$ monic imply that $PL_1$ is monic. Moreover, the pair $(M, F)$ is observable; hence from the definition of input observability it follows that the system relating $m_1(t)$ to $r(t)$ is input observable and (13) is satisfied. □

The major step in the design of the filter is to place the image of the second failure
signature in the unobservable subspace of the residual r(t), and then to factor out the
unobservable subspace so that the order of the filter is reduced. Also, the condition (16)
simply states that the image of the first failure signature should not intersect the
unobservable subspace of the residual generator, so that a failure of the first actuator
shows up in the residual r(t).

It is clear that the order of the residual generator given in Theorem 2 is n − d(S*), and
this order is in general conservative. This is because there may be a u.o.s., S, that
satisfies (16) and contains S*. Clearly, using this S the order of the residual generator
can be further reduced. Unfortunately, there is no systematic way of constructing such
non-infimal unobservability subspaces. However, for the case of monic C, the minimal
solution is easy (see [15]).

The reader who is familiar with the disturbance decoupled estimation problem
(DDEP) [21, 3] will readily recognize the relationship between DDEP and FPRG.
However, these two problems have subtle differences that completely distinguish them
from each other. In DDEP, the state to be estimated is given as part of the problem
statement. In FPRG, we have to find the part of the state space that can be estimated
even in the presence of the unknown input m_2(t).

An interesting interpretation of the solution to FPRG can be given. Referring to
Theorem 2, the residual generator can be rewritten as follows:

$$\dot w(t) = A_0\,w(t) - PD_0\,y(t) + G\,u(t) + D_1\,r(t),$$
$$r(t) = M\,w(t) - H\,y(t). \qquad (20)$$
Note that by choosing D_0 and H appropriately, we change the observability properties
of (HC, A + D_0C) in such a way that the second actuator failure becomes unobservable
from the residual. Next, by injecting the residual r(t) back into the filter, the spectrum of
the residual generator can be modified as desired. Clearly, the residual generator given
in (20) can be thought of as an observer for the hypothetical system

$$\dot z(t) = A_0\,z(t) + u_h(t),$$
$$y_h(t) = M\,z(t), \qquad (21)$$

where u_h(t) := P(Bu(t) − D_0y(t)) is the hypothetical input, and y_h(t) := Hy(t) is the
hypothetical measurement. This interpretation of the residual generator can be used
effectively in computing a gain D_1 that shapes the dynamics of the residual r(t) in some
desired fashion.


To illustrate this point, consider the original system model given in (8) and assume
that an additive zero-mean white noise v_1(t) with covariance E[v_1(t)v_1'(τ)] = R_1δ(t−τ)
enters the system as an input. Also assume that the measurement y(t) is corrupted by
an additive zero-mean white noise v_2(t) with covariance E[v_2(t)v_2'(τ)] = R_2δ(t−τ) and
uncorrelated with the input noise v_1(t). Incorporating the effect of v_1 and v_2 on the
hypothetical system of (21), we get

$$\dot z(t) = A_0\,z(t) + u_h(t) + v_3(t),$$
$$y_h(t) = M\,z(t) + v_4(t), \qquad (22)$$

where v_3(t) := P(v_1(t) − D_0v_2(t)) and v_4(t) := Hv_2(t). Note that v_3 and v_4 are now
correlated. A simple computation shows that the intensity R_{34} of the noise driving the
system in (22) is

$$R_{34} = \begin{bmatrix} PR_1P' + PD_0R_2D_0'P' & -PD_0R_2H' \\ -HR_2D_0'P' & HR_2H' \end{bmatrix}. \qquad (23)$$

If the objective now is to whiten the residual r(t) (note that white residuals are desirable
in the decision making phase of FDI), simply design a steady state Kalman filter for the
system given in (22) with the noise statistics in (23). Then use this steady state Kalman
gain for the matrix D_1 of (20).

An alternate non-stochastic approach is to choose D_1 so that the transfer matrix
T(s) = M(sI − A_0 − D_1M)^{-1}PL_1 has certain nice properties. For example, it is not
difficult to see that increasing the bandwidth of T(s), which is desirable for fast
response, can translate into low steady state gain, which can lead to difficulty in
distinguishing the response due to a failure from that due to background noise.
Therefore, the gain matrix can be used to find a compromise between conflicting
objectives.

Next  the  generic  solvability  of  FPRG  is  discussed. 

Proposition 3: Let us assume that A, C, L_1, and L_2 are arbitrary matrices
with the respective dimensions n×n, l×n, n×k_1, and n×k_2. Then FPRG
generically has a solution if and only if

$$k_1 + k_2 \le n, \qquad (24)$$
$$k_2 < l. \qquad (25)$$

Proof: The simple proof is given in [15].

Note that if the S* defined in Theorem 2 is used to design a residual generator, then the
generic order of the processor is n − k_2. Also, the condition given in (24) is quite
intuitive, since if k_1 + k_2 > n then the images of L_1 and L_2 intersect, and hence there
exist failure modes such that L_1m_1(t) = L_2m_2(t). Therefore both failures affect the
output in exactly the same way, and thus they cannot be distinguished from each other.

Now  we  solve  a  simple  example  to  illustrate  the  design  procedure. 
Example 1: Consider the system given in (8) with

$$A = \begin{bmatrix} 0 & 3 & 4 \\ 1 & 2 & 3 \\ 0 & 2 & 5 \end{bmatrix}, \quad
L_1 = \begin{bmatrix} 1 \\ -.5 \\ .5 \end{bmatrix}, \quad
L_2 = \begin{bmatrix} -3 \\ 1 \\ 0 \end{bmatrix}, \quad
C = \begin{bmatrix} 0 & 1 & 0 \\ 0 & 0 & 1 \end{bmatrix},$$

and B = [L_1, L_2]. Now assume we want to design a residual that is sensitive to the
failure of the first actuator, and is insensitive to the failure of the second actuator.
First, let us compute S* defined in Theorem 2. Using (6),

$$\mathcal{S}^* := \operatorname{Im}\begin{bmatrix} -3 & 1 \\ 1 & 0 \\ 0 & 0 \end{bmatrix}.$$

Clearly L_1 ∩ S* = 0; therefore, FPRG is solvable. Now we follow the procedure
outlined in Theorem 2 to design a residual generator. One possible choice for
D_0 ∈ D(S*) is

$$D_0 = \begin{bmatrix} 0 & 0 \\ 0 & 0 \\ -2 & 0 \end{bmatrix}.$$

This results in A_0 = (A + D_0C : X/S*) = 5. Also H = [0, 1] is an appropriate solution of
Ker HC = S* + Ker C. With this H, we have M = 1. Now if we choose Λ = {−5} and
continue the design procedure, we find

$$\dot w(t) = -5\,w(t) - [-2,\ -10]\,y(t) + [.5,\ 0]\,u(t),$$
$$r(t) = w(t) - [0,\ 1]\,y(t). \qquad (26)$$


Note that if the first failure signature had been

$$L_1' = [1,\ 0,\ 0]',$$

then clearly L_1' ⊂ S* and FPRG would not have had a solution. We shall continue this
example in the next subsection after some additional theoretical developments.
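The following Python script is an added check of the Example 1 design and is not code from the paper. The plant matrices are those of Example 1 as read above; the projection P = [0 0 1], M = 1 and the matrices F = −5, E = [−2, −10], G = [.5, 0] of (26) are derived here from the construction in the proof of Theorem 2 with the D_0, H and Λ = {−5} of the example. It verifies the identities that make e = w − Px evolve as ė = Fe − PL_1m_1 and then simulates plant and filter to show that r(t) ignores u and m_2 but responds to m_1.

```python
"""FPRG design check for Example 1 (residual generator (26)).

Added example, not code from the paper. Plant data are the Example 1
matrices; P, M, F, E and G are derived from the proof of Theorem 2 with
the D0, H and Lambda = {-5} chosen in Example 1. Pure Python only.
"""

# Plant (8): x' = A x + B u + L1 m1 + L2 m2, y = C x, with B = [L1, L2].
A = [[0.0, 3.0, 4.0],
     [1.0, 2.0, 3.0],
     [0.0, 2.0, 5.0]]
L1 = [1.0, -0.5, 0.5]        # first failure signature (to be detected)
L2 = [-3.0, 1.0, 0.0]        # second failure signature (to be decoupled)
C = [[0.0, 1.0, 0.0],
     [0.0, 0.0, 1.0]]
B = [[L1[i], L2[i]] for i in range(3)]

# Design data of Example 1. S* = span{e1, e2}, so X/S* is the third
# coordinate and the canonical projection is P = [0 0 1].
D0 = [[0.0, 0.0], [0.0, 0.0], [-2.0, 0.0]]    # D0 in D(S*)
H = [[0.0, 1.0]]                                # Ker HC = S* + Ker C
P = [[0.0, 0.0, 1.0]]
M = [[1.0]]                                     # M P = H C
# Residual generator (26): w' = F w - E y + G u, r = M w - H y.
F = [[-5.0]]
E = [[-2.0, -10.0]]
G = [[0.5, 0.0]]


def matmul(X, Y):
    """Product of two matrices given as lists of rows."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]


def matadd(X, Y):
    return [[X[i][j] + Y[i][j] for j in range(len(X[0]))] for i in range(len(X))]


def matdiff(X, Y):
    return [[X[i][j] - Y[i][j] for j in range(len(X[0]))] for i in range(len(X))]


def is_zero(X, tol=1e-12):
    return all(abs(v) < tol for row in X for v in row)


def column(v):
    """n-vector as an n x 1 matrix."""
    return [[x] for x in v]


def design_identities():
    """Identities behind the proof of Theorem 2, checked for (26).

    Together they make e = w - P x obey e' = F e - P L1 m1, so the residual
    r = M e depends on m1 alone (not on u, m2 or the part of x inside S*).
    """
    return {
        "FP = PA + EC": is_zero(matdiff(matmul(F, P),
                                        matadd(matmul(P, A), matmul(E, C)))),
        "G = PB": is_zero(matdiff(G, matmul(P, B))),
        "MP = HC": is_zero(matdiff(matmul(M, P), matmul(H, C))),
        # S* = Ker P, so for a single column L: L cap S* = 0 iff P L != 0
        "PL2 = 0 (m2 decoupled)": is_zero(matmul(P, column(L2))),
        "PL1 != 0 (m1 visible)": not is_zero(matmul(P, column(L1))),
        # the alternative signature L1' = [1 0 0]' of the text lies in S*
        "L1' in S*": is_zero(matmul(P, column([1.0, 0.0, 0.0]))),
        # residual dynamics are stable with sigma(F) = Lambda = {-5}
        "sigma(F) = {-5}": F[0][0] == -5.0,
    }


def simulate(m1, m2, u, t_end=0.5, dt=1e-3):
    """Forward-Euler run of plant (8) together with residual generator (26).

    m1 and m2 are constant failure modes switched on at t = 0 and u is a
    constant nominal input (constructed test signals; u is a 2-tuple).
    Plant and filter start at rest. Returns the residual r(t_end).
    """
    x = [0.0, 0.0, 0.0]
    w = 0.0
    for _ in range(int(round(t_end / dt))):
        y = [sum(C[i][j] * x[j] for j in range(3)) for i in range(2)]
        dx = [sum(A[i][j] * x[j] for j in range(3))
              + B[i][0] * u[0] + B[i][1] * u[1]
              + L1[i] * m1 + L2[i] * m2 for i in range(3)]
        dw = (F[0][0] * w - sum(E[0][i] * y[i] for i in range(2))
              + sum(G[0][i] * u[i] for i in range(2)))
        x = [x[i] + dt * dx[i] for i in range(3)]
        w = w + dt * dw
    y = [sum(C[i][j] * x[j] for j in range(3)) for i in range(2)]
    return M[0][0] * w - sum(H[0][i] * y[i] for i in range(2))


if __name__ == "__main__":
    for name, ok in design_identities().items():
        print(f"{name:26s} {'ok' if ok else 'FAILED'}")
    print("r(0.5), only m2 = 1     :", simulate(0.0, 1.0, (0.0, 0.0)))
    print("r(0.5), only u = (1, -2):", simulate(0.0, 0.0, (1.0, -2.0)))
    print("r(0.5), only m1 = 1     :", simulate(1.0, 0.0, (0.0, 0.0)))
```

With m_1 = 1 the residual follows ė = −5e − 0.5, so r(0.5) is close to −0.1(1 − e^{−2.5}) ≈ −0.092, while the m_2-only and u-only runs return zero up to round-off.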
4. Extension of FPRG to Multiple Failure Events

In this section we extend FPRG to the case of multiple failures. Let us assume that k
failure events are present, and we want to design a processor that generates k residuals,
r_i(t) (i ∈ k), such that a failure of the i-th component, i.e., a nonzero m_i(t), can only
affect the i-th residual r_i(t) and no other residual r_j(t) (j ≠ i). More precisely, what we
require is that the transfer matrix relating m_i(s) to r_i(s) should be input observable, and
the transfer matrix from m_i(s) to all other r_j(s) should be zero.


In the notation of Section 2, the problem we have just formulated is the same as the
FDIFP with the coding sets Ω_i = {i} (i ∈ k). This particular version of the FDIFP
will be called the extension of the fundamental problem in residual generation (EFPRG).


Obviously, if EFPRG has a solution, then it is possible to detect and identify even
simultaneous failures with almost arbitrary modes for each component failure. Note
that for identifying simultaneous failures, we need at least as many residuals as there
are failure events. In this sense, the coding set Ω_i = {i} (i ∈ k) (or any permutation of
it) is minimal.


In a recent article, Massoumnia [14] defined the similar problem of designing a
residual generator of the form

$$\dot w(t) = (A + DC)\,w(t) - D\,y(t) + B\,u(t),$$
$$r_i(t) = H_i\,(Cw(t) - y(t)), \qquad (27)$$

such that a nonzero m_i(t) only shows up in the residual r_i(t). This problem is a slight
generalization of the failure detection filter problem and was referred to as the
restricted diagonal detection filter problem (RDDFP) in [14]. Obviously, RDDFP is a
special case of the FPRG that we have formulated here, since in FPRG the matrix F is
not restricted to be of the form A + DC for some appropriate gain matrix D (nor is w
required to be of the same dimension as x).


The solvability condition for EFPRG now follows immediately from that of the
FPRG.

Theorem 4: EFPRG has a solution if and only if

$$\mathcal{S}_i^* \cap \mathcal{L}_i = 0, \quad i \in \mathbf{k}, \qquad (28)$$

where S_i* := inf S(Σ_{j≠i} L_j), i ∈ k.

Proof: (only if) The necessity follows immediately from the proof of
Theorem 2. Just replace the L_1 and L_2 in Theorem 2 with L_i and Σ_{j≠i} L_j
respectively.

(if) For sufficiency, the procedure given in Theorem 2 can be used to design
k different residual generators, Σ_{ri}, each generating the residual r_i(t). Let
D_i ∈ D(S_i*) and F_i = (A + D_iC : X/S_i*). Obviously, D_i can be chosen such
that σ(F_i) = Λ_i for arbitrarily given symmetric sets Λ_i (see Theorem 2). Let
E_i := P_iD_i, G_i = P_iB, H_i be any solution of Ker H_iC = S_i* + Ker C, M_i the
unique solution of M_iP_i = H_iC, and K_i = 0. A simple computation shows
that r_i(s) = −T_i(s) m_i(s) with T_i(s) = M_i(sI − F_i)^{-1}P_iL_i. Using the same
argument as in Theorem 2, the system relating m_i(t) and r_i(t) is input
observable; thus the collection of the residual generators Σ_{ri} (i ∈ k), viewed as
one large system, is a solution to EFPRG. □


A family of failure signatures satisfying the conditions in (28) will be called a strongly
identifiable family. Theorem 4 shows the system theoretic consequences of this concept:
it is possible to design an LTI residual generator that identifies simultaneous failures
within a family of failure events if and only if the family is strongly identifiable.


The order of the residual generator given in Theorem 4, i.e., the sum of the orders of
k different residual generators, can be quite large. Nevertheless, in this filter, the
residuals are generated by k completely decoupled filters, and there is a great deal of
freedom in choosing the F_i matrices of these individual residual generators. This
freedom can be used to simplify the decision making phase of FDI by enhancing the
effect of the failure or suppressing the effect of noise on the residual through the
procedure that was outlined in Section 3. Now we proceed with stating the generic
solvability conditions for EFPRG.

Proposition 5: Let us assume that (A, C, L_i) are arbitrary matrices with
dimensions n×n, l×n, and n×k_i respectively. Let ν := Σ_{i∈k} k_i. Then
EFPRG generically has a solution if and only if

$$\nu \le n, \qquad (29)$$
$$\nu - \min\{k_i,\ i \in \mathbf{k}\} < l. \qquad (30)$$

Proof: The simple proof is given in [15].

Note that if the family {S_i*, i ∈ k} defined in Theorem 4 is used to design a residual
generator, then the generic order of the processor is

(31)

To illustrate the design procedure given in Theorem 4, we now continue Example 1 of
Section 3.


Example 2: The residual generator we designed previously is the same as Σ_{r1} of
Theorem 4. Therefore, rename the r(t) given in (26) as r_1(t), and we only need to design
the residual generator Σ_{r2}, which is sensitive to the failure of the second actuator but is
not affected by the failure of the first actuator. Using (6), we have

and hence EFPRG is solvable. Choosing Λ_2 = {−2, −3}, the residual generator Σ_{r2} is
simply


$$\dot w_2(t) = F_2\,w_2(t) - E_2\,y(t) + G_2\,u(t), \qquad (32)$$
$$r_2(t) = [0,\ 1]\,w_2(t) - [1,\ 1]\,y(t),$$

[the numerical entries of the 2×2 matrices F_2, E_2 and G_2 in (32) are not legible in this copy]

With the residual r(t) given in (26) renamed as r_1(t), (26) and (32) can be combined in

As was required, m_1 affects r_1 and only r_1, while m_2 affects r_2 and only r_2. It can also
be shown that the transfer function from u(s) to r(s) is zero; hence, the nominal input
u(t) does not affect the residual r(t). Therefore, EFPRG is really the problem of
designing a stable, diagonalizing post-compensator. □

Motivated  by  the  last  example,  the  solvability  condition  of  the  EFPRG  in  the 
frequency  domain  is  now  developed.  For  the  remainder  of  this  section,  it  is  assumed 
that  the  failure  signatures  are  simply  column  vectors. 

We can rewrite (3) as follows:

$$y(s) = G_u(s)\,u(s) + G_m(s)\,m(s), \qquad (34)$$

by taking the Laplace transform of both sides. In (34), G_u(s) := C(sI − A)^{-1}B,
G_m(s) := C(sI − A)^{-1}[L_1, ..., L_k], and m(s) = [m_1(s), ..., m_k(s)]'. The objective of
EFPRG can now be restated as generating a k dimensional vector r(t) by passing the
observation vector [y(t)', u(t)']' through a causal LTI system characterized by the
transfer matrix H(s), i.e.,

$$r(s) = H(s)\begin{bmatrix} y(s) \\ u(s) \end{bmatrix} = [H_y(s),\ H_u(s)]\begin{bmatrix} y(s) \\ u(s) \end{bmatrix}, \qquad (35)$$

such that the net transmission from the input u(t) to the residual vector r(t) is zero, and
the failure mode m_i(t) only affects the i-th component of the residual vector r(t). In
other words, the objective is to find a proper post compensator H(s) such that

$$H(s)\,G(s) = [-T(s),\ 0], \qquad (36)$$


where

G(s) =

the 0 in (36) is a k×m matrix, and T(s) is a k×k diagonal matrix with nonzero
diagonal elements T_i(s).

In addition, when no failure is present, the residuals due to initial conditions in the
system and in the post-compensator should die away. The residual due to a nonzero
initial condition x(0) is simply H_y(s)G_a(s)x(0), where

$$G_a(s) := C(sI - A)^{-1}. \qquad (38)$$

Hence the transfer matrix H_y(s)G_a(s) should be stable. Also the residual due to nonzero
initial conditions of the post compensator should die away, so we require that H(s) be
stable.

It is shown in [15] (also see [16]) that the above problem has a solution if and only if
the transfer matrix G_m(s) is left invertible. In other words, when the failure signatures
are column vectors, the condition of strong identifiability given in (28) is equivalent to
the left invertibility of

$$C(sI - A)^{-1}[L_1,\ \ldots,\ L_k]. \qquad (39)$$

The reader who is familiar with the control decoupling problem [9, 24] should readily
recognize the dual relationship between the EFPRG and that problem. Despite this
duality, the structure of the residual generator proposed in Theorem 4 is quite different
from that of the extended decoupling controllers given in the fundamental reference [24].
This is because here we are concerned with designing observers and there is more
flexibility, whereas in the decoupling problem the objective is to design control systems
and the problem is more restrictive. However, it is interesting to note that the
generic order of the residual generator given in (31) is exactly equal to the generic order
of the extended decoupling controller given in Theorem ? of [24] if the matrices involved
are properly transposed.

Now, an interesting question is how to reduce the order of the processor given in
Theorem 4. This task can be accomplished either by restricting the structure of the
residual generator, as was done in [14] by formulating the RDDFP, or by deleting the
requirement that the filter should be capable of detecting and identifying simultaneous
failures. We shall follow the latter path in the remainder of this paper, by considering
more complicated coding schemes than the one dealt with in this section.

5.  Triangular  Detection  Filter  Problem 

The first problem in the above category that we formulate and solve is the triangular
detection filter problem (TDFP). Consider the system in (3) and the residual generator
(27). In TDFP the objective is to design k residuals r_i(t) (i ∈ k) such that a nonzero m_1
affects r_1 and possibly affects r_2, ..., r_k; a nonzero m_2 affects r_2 without affecting r_1
but possibly affecting r_3, ..., r_k; ...; finally, a nonzero m_k affects r_k without affecting
r_1, ..., r_{k−1}. In the notation of Section 2, this process of relating the failure events to
the residuals corresponds to the coding sets Ω_i = {i} ∪ Λ_i, where Λ_i is some subset of
{i+1, ..., k}. The input-output relation of TDFP is shown in Figure 5-1, which shows
the origin of its name.

Figure 5-1: Input Output Relationship of TDFP
[figure: failure modes m_1(t), m_2(t), ..., m_k(t) on the left connected to residuals r_1(t), r_2(t), ..., r_k(t) on the right in the triangular pattern described above]


The  concept  of  TDFP  is  an  exact  dual  of  the  triangular  decoupling  control  problem 
introduced  and  solved  in  (17).  Interestingly  enough,  this  formulation  is  quite 
appropriate  for  failure  detection  and  identification  problem  if  it  is  assumed  that 
simultaneous  failures  are  not  possible.  Even  if  simultaneous  failures  do  occur,  their 


presence in the TDFP will not lead to incorrect identification as it may in other coding
schemes. In such cases, at least the failure of the component with highest priority (i.e.,
the m_i(t) with the smallest value of i) can be correctly identified.

Using the statement of the problem, TDFP can be stated in geometric language as
follows: Given A, C, and L_i (i ∈ k), find an output injection map D : Y → X and a
family of compatible u.o.s.'s {S_i, i ∈ k} such that

$$\mathcal{S}_i := \langle \operatorname{Ker} H_iC \mid A + DC \rangle = \langle \operatorname{Ker} C + \mathcal{S}_i \mid A + DC \rangle, \quad i \in \mathbf{k},$$

$$\mathcal{L}_{i+1} + \cdots + \mathcal{L}_k \subset \mathcal{S}_i, \quad i \in \mathbf{k}-1, \qquad (40)$$

$$\mathcal{S}_i \cap \mathcal{L}_i = 0, \quad i \in \mathbf{k}. \qquad (41)$$

The requirement given in (40) implies that the failures of the (i+1)-th up to the k-th component
should not affect the i-th residual, and (41) implies that the failure of the i-th
component should at least show up in the i-th residual. Now the solvability conditions
of TDFP are stated.

Theorem 6: Let (C,A) be observable. TDFP has a solution if and only if

$$\mathcal{S}_i^* \cap \mathcal{L}_i = 0, \quad i \in \mathbf{k},$$

where S_i* := inf S(L_{i+1} + ... + L_k) (i ∈ k−1), and S_k* = 0. Moreover,

$$\sigma(A + DC : \mathcal{S}_{i-1}^*/\mathcal{S}_i^*) = \Lambda_i, \quad i \in \mathbf{k},$$
$$\sigma(A + DC) = \bigcup_{i \in \mathbf{k}} \Lambda_i,$$

where S_0* = X, and Λ_i (i ∈ k) are arbitrary symmetric sets.

Proof: The proof is the dual of the one given in [17], and hence is omitted.


A family of failure signatures satisfying the solvability conditions of TDFP is not
necessarily a strongly identifiable family. However, it is clear from Theorem 6 that any
strongly identifiable family of failure signatures satisfies the solvability conditions of
TDFP. For such families, the order of the filter that solves TDFP is only n (the same as
the order of the system model). On the other hand, RDDFP may not have a solution
for this family of failure signatures, since Massoumnia showed in [14] that strong
identifiability is a necessary but not sufficient condition for the solvability of RDDFP.

Our last remark concerns the case of simple sensor failures that can be modeled by
taking L_i in (2) as columns of the identity matrix. Using some of the results of [14], we
know that a family of failure signatures with output separable detection spaces (cf. [14])
is strongly identifiable. Recall that the detection space T_i* of the failure signature L_i
was defined in [14] as follows (also see [2]):

$$\mathcal{T}_i^* := \inf \mathbf{S}(\mathcal{L}_i), \qquad (42)$$

and that a family of detection spaces {T_i*, i ∈ k} was termed output separable if the
output images of the detection spaces were independent, i.e., if

$$C\mathcal{T}_i^* \cap \Big(\sum_{j \ne i} C\mathcal{T}_j^*\Big) = 0.$$

Using the state space augmentation procedure given in Section 2, it is always possible to
model l simple sensor failures as a family of l pseudo-actuator failures with output
separable detection spaces. Now using the preceding remarks, it follows immediately
that there always exists an n+l dimensional filter with arbitrarily assignable spectrum
that triangularly detects and identifies any family of l sensor failures, assuming that the
actuators are fully reliable. This fact is one of the most useful applications of TDFP.
For more details we refer the reader to [15].
6. Failure Detection and Identification Filter Problem

Our  objective  in  this  section  is  to  state  necessary  and  sufficient  conditions  for  it  to  be 
possible  to  design  a  residual  generator  that  can  be  used  to  uniquely  detect  and  identify  a 
failure  within  a  family  of  k  possible  failure  events,  assuming  that  only  one  failure  is 
present  at  a  time.  This  problem  will  lead  to  the  introduction  of  the  fundamental 
concept  of  an  identifiable  family  of  failure  signatures. 




In order to treat the above problem, it is necessary to more concretely define the
coding sets Ω_i (i ∈ k) introduced in Section 2. Define an auxiliary coding matrix
Δ = [δ_ij] with δ_ij = 1 if i ∈ Ω_j for i ∈ p, and δ_ij = 0 otherwise. An element δ_ij = 0
implies that the j-th component failure should not affect the i-th residual, while δ_ij = 1
implies that the j-th component failure should affect the i-th residual, in the sense that
the transfer matrix relating the j-th component failure to the i-th residual should be
input observable. Hence, our goal is to design a residual generator such that the
transfer matrix relating the failure events to the residual vectors is structurally the
same as the coding matrix Δ just defined.

Example 3: Assume that six failure events are present, and three residuals are
defined such that Ω_1 = {1}, Ω_2 = {2}, Ω_3 = {1,2}, Ω_4 = {3}, Ω_5 = {1,3}, and Ω_6 = {2,3}.
Using the definition of a coding matrix, we construct Δ:

$$\Delta = \begin{bmatrix} 1 & 0 & 1 & 0 & 1 & 0 \\ 0 & 1 & 1 & 0 & 0 & 1 \\ 0 & 0 & 0 & 1 & 1 & 1 \end{bmatrix}. \qquad (43)$$
The coding scheme used in this example is called a binary coding. This is because the
columns of Δ (e.g., [0, 1, 1]') are just the binary representations of the corresponding
column indices of Δ (e.g., 6). When binary coding is used, the minimum number, p, of
residuals is simply

$$p = \lceil \log_2 (k+1) \rceil, \qquad (44)$$

where ⌈x⌉ is the smallest integer such that ⌈x⌉ ≥ x. It is simple to show that the
number given in (44) is the minimum number of residuals required, no matter what
coding scheme is used. This is the major desirable attribute of binary coding. However,
intuitively speaking, the probability of false identification associated with this coding
scheme can be large. In the event of a failure, some of the residuals may not cross the
threshold, and therefore a totally incorrect component may be identified as having
failed.

Now some of the fundamental properties of the coding matrix Δ are pointed out.
First of all, no row of Δ should be identically zero, since a zero row implies that none of
the failure events affect the residual corresponding to this row; hence this residual is
superfluous. Also, no column of Δ should be identically zero, since the failure event
corresponding to this column would not affect any of the residuals and therefore could
not be detected. Most importantly, no two columns of Δ should be the same, since
otherwise the failures of the components corresponding to these columns could not be
distinguished from each other. Finally, note that permutation of the rows and columns
of Δ corresponds to a renumbering of the residuals and the failure events respectively.

We also define the sum (+) of any two rows of Δ as the Boolean OR of the elements
of one row with the corresponding elements of the other row. Using this definition, one
has for example

$$[1,\ 0,\ 0] + [1,\ 1,\ 0] = [1,\ 1,\ 0].$$

Clearly, any row of Δ that is the sum of other rows of Δ is redundant. For example,
assume that for some coding matrix the first row is the same as the sum of the second
and third rows. Then the second and third residuals are sufficient for FDI purposes,
and the first residual is not necessary; however, this redundant residual may be useful in
the decision making process, given the presence of noise and uncertainties.

Now define the finite set Γ_i as the collection of all those j ∈ k for which δ_ij = 0. For
example, the family Γ_i (i ∈ p) associated with the binary coding sets we used in
Example 3 is simply:

$$\Gamma_1 = \{2, 4, 6\}, \quad \Gamma_2 = \{1, 4, 5\}, \quad \Gamma_3 = \{1, 2, 3\}.$$

Note that the sets Γ_i (i ∈ p) contain all the information required for specifying the
structure of the transfer matrix relating the failure events to the residuals.
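The coding-matrix bookkeeping of this section (the definition of Δ from the coding sets Ω_j, the structural properties of Δ, the Boolean row sum, the binary coding of Example 3 with the bound (44), and the sets Γ_i that Theorem 7 works with) as an added Python example, not code from the paper; the function names are this example's own.

```python
"""Coding matrices for FDIFP (Section 6).

Added example, not code from the paper. It builds the coding matrix Delta
from a family of coding sets Omega_j, checks the structural properties
listed in Section 6 (no zero row, no zero column, no repeated column,
redundant rows under Boolean OR), computes the sets Gamma_i used by
Theorem 7, and reproduces the binary coding of Example 3 and the bound
p = ceil(log2(k+1)) of (44).
"""
from itertools import combinations


def binary_coding_sets(k):
    """Omega_j = {i : bit i-1 of j is set}, j = 1..k: the binary coding.

    For k = 6 this gives the six coding sets of Example 3.
    """
    return [{i + 1 for i in range(k.bit_length()) if (j >> i) & 1}
            for j in range(1, k + 1)]


def min_residuals(k):
    """p = ceil(log2(k+1)) of (44); k.bit_length() is that same integer."""
    return k.bit_length()


def coding_matrix(omega, p):
    """Delta = [delta_ij] with delta_ij = 1 iff residual i lies in Omega_j.

    omega[j-1] is the coding set of the j-th failure event (1-based residual
    indices); p is the number of residuals (rows of Delta).
    """
    return [[1 if (i + 1) in omega_j else 0 for omega_j in omega]
            for i in range(p)]


def check_coding_matrix(delta):
    """List of violated structural properties of Delta (empty means OK)."""
    p, k = len(delta), len(delta[0])
    problems = []
    for i, row in enumerate(delta, 1):
        if not any(row):
            problems.append(f"row {i} is zero: residual {i} is superfluous")
    cols = [tuple(delta[i][j] for i in range(p)) for j in range(k)]
    first = {}
    for j, c in enumerate(cols, 1):
        if not any(c):
            problems.append(f"column {j} is zero: failure {j} is undetectable")
        elif c in first:
            problems.append(f"columns {first[c]} and {j} coincide: "
                            f"failures {first[c]} and {j} are indistinguishable")
        else:
            first[c] = j
    return problems


def row_sum(rows):
    """The '+' of Section 6: element-wise Boolean OR of the given rows."""
    acc = [0] * len(rows[0])
    for r in rows:
        acc = [a | b for a, b in zip(acc, r)]
    return acc


def redundant_rows(delta):
    """1-based indices of rows equal to the sum of some other rows.

    Such a residual is not needed for identification, although it may still
    help the decision logic in the presence of noise.
    """
    p = len(delta)
    out = []
    for i in range(p):
        others = [delta[r] for r in range(p) if r != i]
        if any(row_sum(combo) == delta[i]
               for n in range(1, len(others) + 1)
               for combo in combinations(others, n)):
            out.append(i + 1)
    return out


def gamma_sets(delta):
    """Gamma_i = {j : delta_ij = 0}: the failures that must not reach r_i."""
    return [{j + 1 for j, v in enumerate(row) if v == 0} for row in delta]


if __name__ == "__main__":
    k = 6
    omega = binary_coding_sets(k)
    delta = coding_matrix(omega, min_residuals(k))
    for row in delta:
        print(row)
    print("problems:", check_coding_matrix(delta))
    print("redundant rows:", redundant_rows(delta))
    print("Gamma sets:", gamma_sets(delta))
```

For k = 6 the script reproduces Δ of (43), reports no structural problems, and returns Γ_1 = {2,4,6}, Γ_2 = {1,4,5}, Γ_3 = {1,2,3}.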

Using the above preliminary concepts, we now derive the solvability condition for
FDIFP.

Theorem 7: FDIFP with a given family of coding sets and the assumption
that there is only one failure present at a time has a solution if and only if

$$\mathcal{S}_{\Gamma_i}^* \cap \mathcal{L}_j = 0, \quad j \in \mathbf{k} - \Gamma_i,\ i \in \mathbf{p}, \qquad (45)$$

where

$$\mathcal{S}_{\Gamma_i}^* := \inf \mathbf{S}\Big(\sum_{j \in \Gamma_i} \mathcal{L}_j\Big), \quad i \in \mathbf{p}. \qquad (46)$$

Proof: (only if) Recall that the objective of FDIFP is to generate p
residuals, r_i(t) (i ∈ p), such that when the j-th component fails, the residuals
r_i(t) for i ∈ Ω_j should be nonzero, and the other residuals all should be
identically zero. We can think of FDIFP as p separate FPRGs (see Section 3),
one for each row of Δ, which should be solvable simultaneously. Using the
necessary condition for solvability of FPRG (see Theorem 2) and the
assumption that there is only one failure present at a time, the condition given
in (45) follows immediately.

(if) Simply use the unobservability subspaces S_{Γ_i}* (i ∈ p) to design p separate
residual generators, each being the solution to an FPRG corresponding to a
different row of the coding matrix (see Theorem 2 for construction of the
residual generator). □




process  noise  hold  equally  well  for  the  residual  generators  of  Theorem  7. 


The  following  example  illustrates  the  design  procedure. 


Example 4: Consider the system in (3), with

[A is the 5×5 state matrix and B the 5×6 input matrix of this example; their numerical entries are not legible in this copy]

$$C = \begin{bmatrix} 1 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 1 & 0 \\ 0 & 0 & 1 & 0 & 1 \\ 0 & 0 & 0 & 1 & 1 \end{bmatrix},$$


and the failure signature L_i being the i-th column of B. The problem is to design a
residual generator using the binary coding scheme of Example 3. The coding matrix Δ
for this example is given in (43). First, the infimal subspaces S_{Γ_i}* defined in (46) are
computed. One can show that

$$\mathcal{S}_{\Gamma_1}^* = \mathcal{L}_2 \oplus \mathcal{L}_4, \quad
\mathcal{S}_{\Gamma_2}^* = \mathcal{L}_1 \oplus \mathcal{L}_4 \oplus \mathcal{L}_5, \quad
\mathcal{S}_{\Gamma_3}^* = \mathcal{L}_1 \oplus \mathcal{L}_2 \oplus \mathcal{L}_3.$$

A simple check shows that the necessary condition in (45) is satisfied. Hence S_{Γ_i}* can be
used to design a residual generator Σ_i according to the procedure in Theorem 2. It is
clear that Σ_1 will be a third order filter, and the other two residual generators Σ_2 and
Σ_3 will each be second order filters. Therefore, the overall residual generator is 7-th
order.


We also point out that if the columns of L are permuted (this permutation
corresponds to a renumbering of the failure signatures), then the problem may not have
a solution. First note that the failure signature L_6 is a linear combination of the failure
signatures L_2 and L_4, and now consider interchanging the fifth and the sixth columns of
L but still using the coding matrix in (43). It is immediate that the new problem does
not have a solution, since the new L_5 is a linear combination of L_2 and L_4, and the
solvability conditions of FDIFP are not satisfied. Thus, in practice, care should be
taken to specify the coding sets in a way that avoids such easily resolved difficulties.


Our  objective  is  now  to  show  that  FDIFP  will  not  have  a  solution  for  certain  families 
of  failure  events,  no  matter  what  coding  scheme  is  used.  For  this,  we  shall  assume  in 
the  remainder  of  this  section  that  the  failure  signatures  are  column  vectors. 

The  following  result  will  be  crucial  to  our  derivation. 

Lemma 8: Let (C,A) be observable, d(L_1) = d(L_2) = 1, and L_1 ⊂ T_2*,
where T_2* := inf S(L_2). Then T_1* = T_2*, where T_1* := inf S(L_1).

Proof: Since L_1 ⊂ T_2* and T_2* is a u.o.s., T_2* ∈ S(L_1). Thus the
infimality of T_1* implies that T_1* ⊂ T_2*, and hence CT_1* ⊂ CT_2*. From the
observability of (C,A) and some of the results of [14], we know CT_1* and CT_2*
are both one dimensional; thus CT_1* = CT_2*, or equivalently

T_1* + Ker C = T_2* + Ker C := V.  (47)

Also T_2* and T_1* are compatible, since T_1* + T_2* = T_2* is (C,A)-invariant (see
[15]). Let D ∈ D(T_1*) ∩ D(T_2*). Using (47) and (7), we have

T_2* = <V | A + DC> = T_1*.


Theorem 8: Given an LTI system (C,A,B) with a family of failure
signatures {L_i, i ∈ k} with arbitrary modes of failures, and assuming that there
is only one failure present at a time, it is possible to design a coding set and a
residual generator to detect and identify any failure within this family if and
only if

L_i ∩ T_j* = 0,  i, j ∈ k, i ≠ j,  (48)

where T_i* := inf S(L_i).

Proof: (only if) Suppose that we have designed a residual generator with an
appropriate family of coding sets. Recall that no two columns of the coding
matrix associated with these coding sets should be the same. Using this
property, it follows that for any two distinct integers i, j ∈ k, there should
exist an l such that either

i ∈ Γ_l but j ∉ Γ_l,  (49)

or

j ∈ Γ_l but i ∉ Γ_l.  (50)

Now let the family of detection spaces {T_i*, i ∈ k} be as defined in (42). If (50)
holds, then obviously T_i* ⊂ S_l*. Similarly, if (49) holds, then T_j* ⊂ S_l*. Now
using the necessary condition given in (45) and the argument in (49) and (50),
it follows that for any i, j ∈ k

either L_i ∩ T_j* = 0 or L_j ∩ T_i* = 0.  (51)

Using (51) and Lemma 8, we then conclude that (48) necessarily should hold.
Because of Lemma 8, the condition given in (48) is also equivalent to

L_i ∩ T_j* = 0,  i ∈ k, j ∈ {i+1, ..., k}.  (52)

(if) We need to show that if a family of failure signatures satisfies the
condition given in (52), then there exists a family of coding sets for which the
FDIFP, with the assumption that only one failure is present at a time, has a
solution. For this, just use the coding sets

Γ_i = {1, ..., i−1, i+1, ..., k},  i ∈ k,  (53)

to design k different residual generators such that the unobservable subspace of
the i-th residual is simply T_i*, so that the failure of the i-th component will not
show up in this residual. □

Note  that  if  we  are  using  the  coding  sets  (53)  to  design  the  residual  generator,  then 
the  unobservable  subspace  of  the  i-th  residual  is  exactly  the  detection  space  we  defined 
earlier.  Hence,  a  more  appropriate  name  for  such  a  subspace  seems  to  be  the 
undetectable  subspace  of  a  failure  signature,  but  in  order  to  conform  with  the  notions 
introduced  in  the  work  of  Beard  [2],  we  chose  to  continue  to  use  the  name  detection 
spaces. 

A family of scalar failure signatures {L_i, i ∈ k} satisfying the condition given in (52)
will be called an identifiable family of failure signatures. Note that if a family of failure
signatures is not identifiable, then there does not exist any processor with which it is
possible to detect and identify the failures in the sense of Section 2.

It is also possible to state the frequency domain counterpart of the failure
identifiability condition given in (52). From (39), we know that the condition

L_i ∩ T_j* = 0 and L_j ∩ T_i* = 0

is equivalent to the statement that the transfer matrix C(sI−A)^{-1}[L_i, L_j] is left
invertible. Hence, the condition in (52) is equivalent to the statement that the rational
vector subspaces spanned by C(sI−A)^{-1}L_i are nonintersecting. Note that the necessity
of this condition is obvious, since if the image of C(sI−A)^{-1}L_i (over the field of rational
functions) intersects the image of C(sI−A)^{-1}L_j, then there exist proper rational
functions m_i(s) and m_j(s) such that

C(sI−A)^{-1} L_i m_i(s) = C(sI−A)^{-1} L_j m_j(s).

This means that there exist failure modes for the i-th and the j-th components that
result in the same output; hence, it will be impossible to distinguish between the failure
of these two components with these failure modes by observing the output of the
system.
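The identifiability test of Theorem 8 and its frequency domain form above can be checked numerically: the pair (L_i, L_j) is distinguishable exactly when C(sI−A)^{-1}[L_i, L_j] has normal rank 2 over the rational functions, and the normal rank is attained at a generic point s, so evaluating the transfer matrix at a few random rational s with exact arithmetic decides it. The following is an added example, not code from the paper; the 3-state, 2-output system and the three signatures are constructed for illustration. The signature L_2 = A L_1 with C L_1 = 0 is chosen so that C(sI−A)^{-1}L_1 = (1/s) C(sI−A)^{-1}L_2, which is precisely the situation of the proper rational functions m_i(s), m_j(s) above: the two failures produce outputs in the same rational direction and the family {L_1, L_2, L_3} is therefore not identifiable, while {L_1, L_3} is.

```python
from fractions import Fraction
from itertools import combinations
import random

# Constructed example system (not from the paper): 3 states, 2 outputs.
A = [[0, 1, 0],
     [0, 0, 1],
     [-1, -2, -3]]
C = [[1, 0, 0],
     [0, 0, 1]]
# Constructed scalar failure signatures (columns). L2 = A*L1 with C*L1 = 0,
# hence C(sI-A)^-1 L2 = s * C(sI-A)^-1 L1: same output direction, not identifiable.
L1 = [0, 1, 0]
L2 = [1, 0, -2]
L3 = [1, 0, 0]


def rank(M):
    """Exact rank of a matrix of Fractions by Gauss-Jordan elimination."""
    M = [[Fraction(x) for x in row] for row in M]
    rows, cols = len(M), (len(M[0]) if M else 0)
    r = 0
    for c in range(cols):
        pivot = next((i for i in range(r, rows) if M[i][c] != 0), None)
        if pivot is None:
            continue
        M[r], M[pivot] = M[pivot], M[r]
        for i in range(rows):
            if i != r and M[i][c] != 0:
                f = M[i][c] / M[r][c]
                M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        r += 1
        if r == rows:
            break
    return r


def solve(M, B):
    """Solve M X = B exactly (M square n x n, B is n x m); ValueError if M is singular."""
    n = len(M)
    aug = [[Fraction(x) for x in M[i]] + [Fraction(x) for x in B[i]] for i in range(n)]
    for c in range(n):
        pivot = next((i for i in range(c, n) if aug[i][c] != 0), None)
        if pivot is None:
            raise ValueError("singular")
        aug[c], aug[pivot] = aug[pivot], aug[c]
        p = aug[c][c]
        aug[c] = [x / p for x in aug[c]]
        for i in range(n):
            if i != c and aug[i][c] != 0:
                f = aug[i][c]
                aug[i] = [a - f * b for a, b in zip(aug[i], aug[c])]
    return [row[n:] for row in aug]


def transfer_at(A, C, cols, s):
    """C (sI - A)^-1 [cols] evaluated exactly at the rational point s."""
    n = len(A)
    sI_minus_A = [[(Fraction(s) if i == j else 0) - A[i][j] for j in range(n)] for i in range(n)]
    B = [[col[i] for col in cols] for i in range(n)]          # n x m, signatures as columns
    X = solve(sI_minus_A, B)                                    # X = (sI-A)^-1 B
    return [[sum(C[i][k] * X[k][j] for k in range(n)) for j in range(len(cols))]
            for i in range(len(C))]


def normal_rank(A, C, cols, trials=5, seed=0):
    """Rank of C(sI-A)^-1[cols] over the field of rational functions: it is the
    maximum rank over all s and is attained at generic s, so a few random
    rational sample points (skipping poles) recover it."""
    rng = random.Random(seed)
    best = 0
    for _ in range(trials):
        s = Fraction(rng.randint(1, 10**6), rng.randint(1, 10**6))
        try:
            best = max(best, rank(transfer_at(A, C, cols, s)))
        except ValueError:      # s happened to be a pole of (sI-A)^-1; resample
            continue
    return best


def distinguishable(A, C, Li, Lj):
    """Left invertibility of C(sI-A)^-1[Li, Lj], i.e. (39): Li∩Tj* = 0 and Lj∩Ti* = 0."""
    return normal_rank(A, C, [Li, Lj]) == 2


def identifiable_family(A, C, sigs):
    """Condition (52): every pair of scalar signatures is distinguishable."""
    return all(distinguishable(A, C, sigs[i], sigs[j])
               for i, j in combinations(range(len(sigs)), 2))


if __name__ == "__main__":
    for i, j in combinations(range(3), 2):
        print(f"L{i+1}, L{j+1}: distinguishable = {distinguishable(A, C, [L1, L2, L3][i], [L1, L2, L3][j])}")
    print("family {L1, L2, L3} identifiable:", identifiable_family(A, C, [L1, L2, L3]))
```

Exact rational arithmetic is used deliberately: the test is a rank decision, and floating point evaluation near a pole or for an ill-conditioned (sI−A) could report a spurious drop or gain in rank. Sampling several s guards against landing on one of the finitely many points where the rank of a rational matrix drops below its normal rank.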

7.  Conclusion 

In  this  paper  we  have  solved  the  problem  of  generating  residuals  for  the  purpose  of 
detecting  and  identifying  control  system  component  failures  by  processing  the 
commanded  inputs  and  measured  outputs  of  a  linear  time-invariant  system.  We  have 
also  developed  simple  design  procedures  for  generating  the  residuals  when  the  solvability 
conditions  are  satisfied. 

We should mention that all of our results hold equally well for discrete-time systems,
since our approach has been entirely geometric. Therefore, the left hand side of (3) can
be replaced with x(t+1) and the solvability conditions for all of the problems that we
have formulated here will remain unchanged. An interesting characteristic of residual
generators for discrete-time systems is that we can assign the spectrum of the filter to
the origin of the complex plane, and hence obtain dead-beat behavior. It can be shown
that the residuals thus obtained are the generalized parity relations introduced by Chow
[5]. We refer the reader to [16] and [15] for a more complete discussion of the
relationship between the generalized parity relations and the residual generators
discussed in this article.

A challenging problem that we did not address in this paper is the task of generating
residuals that are robust to modeling errors. Lou [12, 13] and Chow [4, 5] have done
some preliminary work on the problem of robust parity relations. Using our results, it is
clear that the residual generator is a finely tuned processor that relies on the given
dynamics of the plant. Specifically, for actuator failures, the design of the processor
relies on inverting the transfer matrix of the system, which can be quite sensitive to
changes in the system parameters. We also point out that the issue in robust residual
generation is not simply the stability of the perturbed system as in many robust control
system problems, but the preservation as nearly as possible of the diagonal structure of
the transfer matrices in the presence of plant uncertainties. This is a much more
complicated problem and deserves the attention of researchers in linear system theory
and robust control.